Client side certificate revocation service
Abstract
A proxy revocation service provides a reliable service for performing revocation checks. The proxy revocation service queries public certificate authorities for the revocation status of a set of digital certificates and maintains a database of the revocation statuses. The proxy revocation service provides a singular endpoint that is Application Protocol Interface (API) accessible to web clients. Web clients communicate with the proxy revocation service through use of API message to perform revocation checks, rather than communicating with the public certificate authorities using an online certificate status protocol (OCSP). Use of the proxy revocation service provides both a reliable service for performing revocation checks as well as shifts the complexity away from the web clients.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A method comprising:
receiving, by a client device, a digital certificate from an online service as part of a process to establish a secure connection between the client device and the online service;
querying a local cache of the client device for a revocation status of the digital certificate;
in response to querying the local cache, transmitting, by the client device, a revocation check request for the revocation status for the digital certificate, the revocation status indicating whether the digital certificate has been revoked, the revocation status having been obtained from a certificate authority by a certificate revocation service using an online certificate status protocol (OCSP), the certificate revocation service being separate from the client device and the certificate authority; and
determining, by one or more computer processors of the client device, whether to establish the secure connection between the client device and the online service based on the revocation status of the digital certificate by: determining that the digital certificate is not revoked, the revocation status of the digital certificate is unknown, and the client device is not set to fail open; and
in response to determining that digital certificate is not revoked, the revocation status of the digital certificate is unknown, and the client device is not set to fail open, disconnecting the client device from the online service.
2. The method of claim 1 , further comprising:
transmitting the revocation check request to the certificate revocation service, the revocation check request directed to a uniform resource identifier (URI) designated to the certificate revocation service; and
receiving the revocation status from the certificate revocation service.
3. The method of claim 1 , further comprising:
determining that the revocation status is available in the local cache; and
determining whether the revocation status has expired.
4. The method of claim 3 ,
further comprising:
determining that the revocation status of the digital certificate in the local cache has expired,
wherein transmitting the revocation check request to the certificate revocation service is in response to determining that the revocation status of the digital certificate in the local cache has expired.
5. The method of claim 1 ,
further comprising:
determining that the revocation status of the digital certificate is not available in the local cache, wherein transmitting the revocation check request to the certificate revocation service is in response to determining that the revocation status of the digital certificate is not available in the local cache.
6. A client device comprising:
one or more computer processors; and
one or more computer-readable mediums storing instructions that, when executed by the one or more computer processors, cause the client device to perform operations comprising:
receiving a digital certificate from an online service as part of a process to establish a secure connection between the client device and the online service;
querying a local cache of the client device for a revocation status of the digital certificate;
in response to querying the local cache, transmitting a revocation check request for the revocation status for the digital certificate, the revocation status indicating whether the digital certificate has been revoked, the revocation status having been obtained from a certificate authority by a certificate revocation service using an online certificate status protocol (OCSP), the certificate revocation service being separate from the client device and the certificate authority; and
determining whether to establish the secure connection between the client device and the online service based on the revocation status of the digital certificate by: determining that the digital certificate is not revoked, the revocation status of the digital certificate is unknown, and the client device is not set to fail open; and
in response to determining that digital certificate is not revoked, the revocation status of the digital certificate is unknown, and the client device is not set to fail open, disconnecting the client device from the online service.
7. The client device of claim 6 , further comprising:
transmitting the revocation check request to the certificate revocation service, the revocation check request directed to a uniform resource identifier (URI) designated to the certificate revocation service; and
receiving the revocation status from the certificate revocation service.
8. The client device of claim 6 , further comprising:
determining that the revocation status is available in the local cache; and
determining whether the revocation status has expired.
9. The client device of claim 8 ,
further comprising:
determining that the revocation status of the digital certificate in the local cache has expired,
wherein transmitting the revocation check request to the certificate revocation service is in response to determining that the revocation status of the digital certificate in the local cache has expired.
10. The client device of claim 6 ,
further comprising:
determining that the revocation status of the digital certificate is not available in the local cache, wherein transmitting the revocation check request to the certificate revocation service is in response to determining that the revocation status of the digital certificate is not available in the local cache.
11. A non-transitory computer-readable medium storing instructions that, when executed by one or more computer processors of a client device, cause the client device to perform operations comprising:
receiving a digital certificate from an online service as part of a process to establish a secure connection between the client device and the online service;
querying a local cache of the client device for a revocation status of the digital certificate;
in response to querying the local cache, transmitting, by the client device, a revocation check request for the revocation status for the digital certificate, the revocation status indicating whether the digital certificate has been revoked, the revocation status having been obtained from a certificate authority by a certificate revocation service using an online certificate status protocol (OCSP), the certificate revocation service being separate from the client device and the certificate authority; and
determining whether to establish the secure connection between the client device and the online service based on the revocation status of the digital certificate by: determining that the digital certificate is not revoked, the revocation status of the digital certificate is unknown, and the client device is not set to fail open; and
in response to determining that digital certificate is not revoked, the revocation status of the digital certificate is unknown, and the client device is not set to fail open, disconnecting the client device from the online service.
12. The non-transitory computer-readable medium of claim 11 , further comprising:
transmitting the revocation check request to the certificate revocation service, the revocation check request directed to a uniform resource identifier (URI) designated to the certificate revocation service; and
receiving the revocation status from the certificate revocation service.
13. The non-transitory computer-readable medium of claim 11 , further comprising:
determining that the revocation status is available in the local cache; and
determining whether the revocation status has expired.
14. The non-transitory computer-readable medium of claim 13 ,
further comprising:
determining that the revocation status of the digital certificate in the local cache has expired,
wherein transmitting the revocation check request to the certificate revocation service is in response to determining that the revocation status of the digital certificate in the local cache has expired.
15. The non-transitory computer-readable medium of claim 11 ,
further comprising:
determining that the revocation status of the digital certificate is not available in the local cache, wherein transmitting the revocation check request to the certificate revocation service is in response to determining that the revocation status of the digital certificate is not available in the local cache.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.